CyberWire Daily - Buckets leak, but so do CDs. NotPetya and Sandworm. Fruitfly versus Macs. ISIS strained in cyberspace. A look at dark web souks. Hacked fish tank.
Episode Date: July 24, 2017
In today's podcast, we hear about the wisdom of attending to your AWS Access Control Lists. Wells Fargo data leaked in the course of e-discovery. NotPetya fallout and investigation. The Islamic State's presence in cyberspace is getting a bit threadbare. Fruitfly has been buzzing through Macs, quietly, for a decade. Palo Alto Networks' Rick Howard describes a new security framework. Other dark web souks are poised to take the place of AlphaBay and Hansa Market. And Ocean's 11 meet the IoT.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
AWS misconfigurations leak data, so pay attention to your access control lists.
Wells Fargo data is leaked in the course of e-discovery. We've got more NotPetya fallout and investigation. The Islamic State's presence in cyberspace is getting a bit threadbare. Fruitfly has been buzzing through Macs, quietly, for a decade. Palo Alto Networks' Rick Howard describes a new security framework. Other dark web souks are poised to take the place of AlphaBay and Hansa Market, and Ocean's Eleven meet the IoT.
I'm Dave Bittner in Baltimore with your CyberWire summary for Monday, July 24, 2017.
We've heard a lot recently about misconfigured Amazon Web Services S3 data buckets and the sensitive data found exposed in them. Configuration, as Amazon points out, is the customer's responsibility and not Amazon's. After all, it's up to the customer to decide what they want to protect, what they want to share, and with whom they want to share it. And Amazon has a point. Access control lists govern who can see the contents of an S3 bucket, and users of Amazon Web Services should look at their buckets to ensure that public read access is enabled only where it's supposed to be.
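The check described above, written out as an added example (not code from the CyberWire or Amazon): it inspects the ACL structure that boto3's `get_bucket_acl` returns, flags grants to Amazon's two public grantee groups, and lets you whitelist buckets that are meant to be world-readable so only the unexpected exposures are reported. Bucket names and the ACLs below are constructed.

```python
"""Flag S3 bucket ACL grants that open a bucket to the public.

Added example (not from the CyberWire transcript). It reads the ACL structure
that boto3's get_bucket_acl returns, so it runs offline on the constructed
sample below; for a real audit, pass s3.get_bucket_acl(Bucket=name) per bucket.
"""

# Grantee URIs Amazon uses for "everyone" and "anyone with an AWS account".
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}


def public_grants(acl):
    """Return [(group, permission), ...] for every grant to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # canonical-user grantees are specific accounts, not the public
        group = PUBLIC_GROUPS.get(grantee.get("URI"))
        if group is not None:
            findings.append((group, grant["Permission"]))
    return findings


def audit_buckets(acls, allow_public_read=()):
    """Map bucket name -> unexpected public grants.

    Buckets named in allow_public_read may be READ by AllUsers (a static site,
    say); every other public grant, including any WRITE, is still reported.
    """
    report = {}
    for name, acl in acls.items():
        unexpected = [(g, p) for g, p in public_grants(acl)
                      if not (name in allow_public_read and g == "AllUsers" and p == "READ")]
        if unexpected:
            report[name] = unexpected
    return report


# Constructed sample ACLs in the shape boto3 returns (not real buckets).
OWNER = {"Type": "CanonicalUser", "ID": "example-owner-canonical-id"}
ALL_USERS = {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}
AUTH_USERS = {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}
SAMPLE_ACLS = {
    "private-reports": {"Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]},
    "public-website": {"Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"},
                                  {"Grantee": ALL_USERS, "Permission": "READ"}]},
    "customer-exports": {"Grants": [{"Grantee": AUTH_USERS, "Permission": "READ"},
                                    {"Grantee": ALL_USERS, "Permission": "WRITE"}]},
}

if __name__ == "__main__":
    for bucket, grants in audit_buckets(SAMPLE_ACLS, {"public-website"}).items():
        print(bucket, "->", grants)
```

Bucket policies can grant public access independently of the ACL, so a full review also reads each bucket's policy; this block covers only the ACL grants the segment is about.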
Of course, where there's data, there are risks, and some of those risks are more earthbound than any cloud. Witness Wells Fargo's misfortune. The bank learned this past week that outside counsel it had retained mistakenly shipped CDs, in the course of discovery, to an attorney representing a former Wells Fargo employee suing another employee for defamation. The CDs contained personal and financial information on about 50,000 high-net-worth customers. The mistake must be particularly galling given that Wells Fargo is not even a party to the lawsuit. This may not only be a third-party breach, but at least a fourth-party breach as well.
The outside counsel, which the New York Times identified as Bressler, Amory & Ross,
says it used an outside vendor in the course of e-discovery.
Bressler, Amory & Ross have asked that the data be returned.
The plaintiff who received them said it's fortunate he's a good guy.
A less scrupulous person would have spread the info all over the internet.
Companies affected by NotPetya are still working on recovery and damage assessment.
Maersk and other victims emphasize one point. Customer data do not appear to have been
compromised in the attacks. WannaCry and NotPetya continue to look like state-sponsored works of disruption.
We heard from security firm FireEye, which is working with the Ukrainian National Police on the investigation. They note that the Sandworm team has a history of attacking Ukraine. FireEye says it has more technical evidence of connections between Sandworm and NotPetya. They also note that Sandworm has a history of destructive wiper attacks, which is effectively what the last round of NotPetya amounted to. Sandworm has also shown a predilection for hitting Ukrainian targets. FireEye points out that evidence of Russian government responsibility is, given the sort of information available, inevitably circumstantial. As they conclude, however, quote, we can't be 100% sure that it's a state-sponsored group, but there are many strong signs that point toward this, end quote.
Both WannaCry and NotPetya propagated rapidly. Comparable spreader technology is appearing in
other strains as well. Fidelis has been tracking spreader functionality as it's been added to the widely used Emotet loader,
so we haven't seen the last of such rapidly metastasizing attacks.
The Islamic State's recent setbacks on the ground have cost ISIS territory,
and much of its pretension to being a government, even as Interpol circulates a list of 173 suspected members of the caliphate suicide units.
ISIS has maintained its Russian-language propaganda service,
but other operations in cyberspace are showing signs of strain.
Malwarebytes and Synack are tracking Mac malware that's quietly infested the Mac ecosystem for years, going largely undetected. Fruitfly, as it's called, is regarded as both primitive and mysterious. Its infection mechanism and purpose both remain unclear.
In industry news, healthcare cybersecurity startup Protenus has received an additional $3 million in funding, bringing its Series A total to $7 million. Nyotron, which offers a threat-agnostic defensive solution designed to be effective against unknown threats, has raised $21 million in its recent funding round.
Authorities are expected to continue to look for more participants in dark web contraband markets. Demand will in all likelihood shift elsewhere now that AlphaBay and Hansa Market have been taken down. AlphaBay was successor to Silk Road as the black market leader, and Hansa Market was called, until its takedown last week, the world's most secure darknet marketplace. There are other dark web markets out there. We heard about some of them from Patrick Martin, a cybersecurity analyst at RepKnight, a firm specializing in the dark web. Martin points out
that these markets aren't all about drugs and guns. They're also a marketplace for stolen data
and corporate intellectual property. He said, quote, the shutdown of AlphaBay and Hansa is
certainly great news, but when you consider that 80% of the internet is made up of the deep and
dark web, you realize that these two sites are only the tip of the iceberg, end quote. Some of the other big markets that are still in operation include Dream Market, Valhalla, and Wall Street Market.
Martin says they're already seeing criminals who supplied wares to AlphaBay and Hansa Market shift their operations over to these.
So it's a good idea to keep an eye out for the possibility of your data being traded on the
dark web. But that said, it's not a good idea to do so yourself. As Martin puts it, quote,
the dark web is definitely not safe surfing. Signing up to dark web sites yourself is really
not a good idea, not only because of the disturbing nature of other things you'll come across, but
also the risk of getting phished by cyber criminals or a knock on the door from the police, end quote. So look to the experts and get some help.
Finally, in what sounds like a high-concept caper movie, crooks found their way into a casino and
exfiltrated data to a command and control server in Finland. The casino is somewhere in North
America, but that's all investigators are saying.
But here's where the high concept gets high, cats.
The hackers got in through the IoT,
specifically through a smart fish tank on display in the casino.
Security firm Darktrace, which investigated,
says that the hoods exploited a recently introduced device and used their access to bypass the casino's other, normally formidable defenses. The kind of fish in the tank are unknown, but they were probably just innocent bystanders. Danny Ocean, call your office and bring the Rat Pack with you.
Joining me once again is Rick Howard. He's the Chief Security Officer at Palo Alto Networks, and he also heads up Unit 42, which is their Threat Intel team. Rick, you've got an interesting announcement here, a pretty broad announcement, that Palo Alto has developed an application framework.
Give us the details here.
What's going on?
Well, you know, you and I have talked about how many vendors there are in the cybersecurity space.
When I went to RSA this year, there were over 650 of them trying to display their wares.
I know because I talked to a lot of them.
And every one of them, you know, has the very best idea that's going to save the Internet.
If I would just take their product, I would be secure forever.
That's right.
Even if I found one that I liked and it did save the Internet, I still have to deploy it and manage it.
And it's just really hard and very expensive. And I call that the
security vendor mambo, the dance that all network defenders must do to install a product.
And what the vendors don't tell you, though, is that their product alone won't be enough,
right? In order to completely cover the attack lifecycle, network defenders like me,
we have to do the same security vendor mambo dance with
several products. I've been out talking to lots of people. Small organizations have at least 20
different tools, security tools that they've deployed. Medium-sized companies, they've deployed
at least 50. And large organizations like the big financials, they have over 200 tools deployed just
for security. What this tells me is that the security product consumption
model is broken. Network defenders like me consume those products. It's too hard to do, and so it's
ripe for disruption. And the organizations that could get this done are the firewall vendors.
You know, we're a firewall vendor, but there are others. And if you just consider what a firewall
does, okay, the firewall is the one security tool that every network defender has deployed.
They have other things, but everybody has a firewall.
They're very complex systems, and they do many tasks.
But if you reduce the idea of a firewall to its basic functions, it really does three things.
First is a way to collect intelligence and telemetry on internet traffic
coming in and leaving your organization. That's one. Second, it is a processing engine that looks
at the intelligence and telemetry to determine malicious behavior. And finally, it is an
enforcement point that network defenders can use to either automatically block malicious behavior
or manually block that behavior once a human has looked at it. So
what firewall vendors have done in the last couple of years is they've moved the data collection and
processing functions out to the cloud, right? There are lots of reasons for this, but mainly
for all intents and purposes, vendors have infinite storage capacity and processing power
in the cloud where the deployed firewall does not. You know, it's kind of a finite thing.
So, and if a vendor wants to add a new service to the firewall, say like an anti-APT or maybe
an intelligence analytical service, vendors build that as an application in the cloud
and not as a new hardware service for the deployed physical platform.
So, the vendor collects the data in the cloud, the new anti-APT
service runs its algorithms on the cloud data, and then sends blocking decisions back down to
the infrastructure to its customers. So that's kind of where the industry has gone the last
couple of years. If you take that evolution and think about what could happen next, the consumption
model for security products could get flipped on its head.
This disruptive logical next step is for firewall vendors to allow those other 650 tools to use the
same infrastructure that is already deployed for the firewall. Instead of network defenders doing
the security vendor mambo for 20 or 50 or 200 tools.
Firewall vendors will allow those same security tools to run as applications on top of the data cloud and use the deployed physical firewall as the enforcement point.
So consuming a new security product will become as easy as it is to download the next Angry Birds game to your iPhone.
That's what we're going for here, right? So network defenders will go to the security app store, download the cool new security tool they saw at RSA in the last conference,
turn it on, and then the security vendor mambo, that dance we always have to do now, will be replaced by an on-off switch. That's where we're going. We call it the application framework.
That is a fantastic name.
I know it's really sexy. But I expect all the firewall vendors will offer something similar in the very near future. All right. So the bottom line to all this: application framework is a completely disruptive idea and is the next logical extension of automatic orchestration, vendors making it easier to deploy security tools.
All right. Rick Howard, thanks for joining us.
And that's the Cyber Wire. We are proudly produced in Maryland by our talented team
of editors and producers. I'm Dave Bittner. Thanks for listening.